Tool Usage Auditing
Overview: Comprehensive auditing of MCP tool usage, access patterns, and security events.
Tool usage auditing provides detailed visibility into how MCP tools are being accessed, used, and managed across the system. This enables security teams to identify anomalies, ensure compliance, and maintain security posture.
Audit Data Collection
Tool Access Logging
# Tool access audit logging
import time
import json
import hashlib
from typing import Dict, List, Optional, Any
from dataclasses import dataclass
from enum import Enum
class AuditEventType(Enum):
TOOL_ACCESS = "tool_access"
TOOL_EXECUTION = "tool_execution"
TOOL_FAILURE = "tool_failure"
PERMISSION_CHANGE = "permission_change"
CONFIGURATION_CHANGE = "configuration_change"
@dataclass
class AuditEvent:
event_id: str
timestamp: float
event_type: AuditEventType
user_id: str
tool_name: str
action: str
result: str
metadata: Dict[str, Any]
risk_level: str
compliance_tags: List[str]
class ToolUsageAuditor:
def __init__(self):
self.audit_store = AuditStore()
self.event_processor = EventProcessor()
self.risk_analyzer = RiskAnalyzer()
self.compliance_checker = ComplianceChecker()
def log_tool_access(self, user_id: str, tool_name: str, action: str, context: Dict) -> str:
"""Log tool access event with comprehensive metadata"""
# Generate unique event ID
event_id = self.generate_event_id()
# Collect comprehensive metadata
metadata = {
"ip_address": context.get("ip_address"),
"user_agent": context.get("user_agent"),
"session_id": context.get("session_id"),
"request_parameters": context.get("parameters", {}),
"authentication_method": context.get("auth_method"),
"tool_version": context.get("tool_version"),
"execution_context": context.get("execution_context"),
"resource_access": context.get("resource_access", []),
"data_accessed": context.get("data_accessed", []),
"network_activity": context.get("network_activity", [])
}
# Determine risk level
risk_level = self.risk_analyzer.assess_risk(user_id, tool_name, action, metadata)
# Check compliance requirements
compliance_tags = self.compliance_checker.get_compliance_tags(tool_name, action, metadata)
# Create audit event
audit_event = AuditEvent(
event_id=event_id,
timestamp=time.time(),
event_type=AuditEventType.TOOL_ACCESS,
user_id=user_id,
tool_name=tool_name,
action=action,
result="initiated",
metadata=metadata,
risk_level=risk_level,
compliance_tags=compliance_tags
)
# Store audit event
self.audit_store.store_event(audit_event)
# Process event for real-time analysis
self.event_processor.process_event(audit_event)
return event_id
def log_tool_execution_result(self, event_id: str, result: str, execution_data: Dict):
"""Log tool execution result and update audit event"""
# Get original event
original_event = self.audit_store.get_event(event_id)
if not original_event:
return
# Update execution metadata
execution_metadata = {
"execution_time": execution_data.get("execution_time"),
"exit_code": execution_data.get("exit_code"),
"output_size": execution_data.get("output_size"),
"error_messages": execution_data.get("errors", []),
"warnings": execution_data.get("warnings", []),
"resources_consumed": execution_data.get("resources_consumed", {}),
"files_accessed": execution_data.get("files_accessed", []),
"network_connections": execution_data.get("network_connections", []),
"process_spawned": execution_data.get("processes_spawned", [])
}
# Create completion event
completion_event = AuditEvent(
event_id=self.generate_event_id(),
timestamp=time.time(),
event_type=AuditEventType.TOOL_EXECUTION,
user_id=original_event.user_id,
tool_name=original_event.tool_name,
action=original_event.action,
result=result,
metadata={**original_event.metadata, **execution_metadata},
risk_level=self.risk_analyzer.assess_execution_risk(result, execution_metadata),
compliance_tags=original_event.compliance_tags
)
# Store completion event
self.audit_store.store_event(completion_event)
# Link events
self.audit_store.link_events(event_id, completion_event.event_id)
# Process completion event
self.event_processor.process_event(completion_event)
def generate_event_id(self) -> str:
"""Generate unique event identifier"""
timestamp = str(time.time())
random_data = os.urandom(16)
return hashlib.sha256(f"{timestamp}{random_data}".encode()).hexdigest()[:16]
User Behavior Analysis
# User behavior analysis for auditing
class UserBehaviorAnalyzer:
def __init__(self):
self.behavior_db = BehaviorDatabase()
self.pattern_detector = PatternDetector()
self.anomaly_detector = AnomalyDetector()
def analyze_user_behavior(self, user_id: str, time_window: int = 86400) -> BehaviorAnalysis:
"""Analyze user behavior patterns for auditing"""
# Get user's recent activity
recent_events = self.audit_store.get_user_events(user_id, time_window)
# Analyze access patterns
access_patterns = self.analyze_access_patterns(recent_events)
# Analyze tool usage patterns
tool_usage = self.analyze_tool_usage(recent_events)
# Analyze timing patterns
timing_patterns = self.analyze_timing_patterns(recent_events)
# Detect anomalies
anomalies = self.anomaly_detector.detect_behavioral_anomalies(
user_id, recent_events
)
# Calculate risk score
risk_score = self.calculate_behavioral_risk_score(
access_patterns, tool_usage, timing_patterns, anomalies
)
return BehaviorAnalysis(
user_id=user_id,
analysis_period=time_window,
access_patterns=access_patterns,
tool_usage=tool_usage,
timing_patterns=timing_patterns,
anomalies=anomalies,
risk_score=risk_score
)
def analyze_access_patterns(self, events: List[AuditEvent]) -> AccessPatterns:
"""Analyze user access patterns"""
# Group events by source IP
ip_patterns = {}
for event in events:
ip = event.metadata.get("ip_address")
if ip not in ip_patterns:
ip_patterns[ip] = []
ip_patterns[ip].append(event)
# Analyze geographical patterns
geo_patterns = self.analyze_geographical_patterns(ip_patterns)
# Analyze device patterns
device_patterns = self.analyze_device_patterns(events)
# Analyze session patterns
session_patterns = self.analyze_session_patterns(events)
return AccessPatterns(
ip_patterns=ip_patterns,
geographical_patterns=geo_patterns,
device_patterns=device_patterns,
session_patterns=session_patterns
)
def analyze_tool_usage(self, events: List[AuditEvent]) -> ToolUsageAnalysis:
"""Analyze tool usage patterns"""
# Group events by tool
tool_usage = {}
for event in events:
tool_name = event.tool_name
if tool_name not in tool_usage:
tool_usage[tool_name] = {
"usage_count": 0,
"success_rate": 0,
"average_execution_time": 0,
"risk_distribution": {},
"action_patterns": {}
}
tool_usage[tool_name]["usage_count"] += 1
# Track action patterns
action = event.action
if action not in tool_usage[tool_name]["action_patterns"]:
tool_usage[tool_name]["action_patterns"][action] = 0
tool_usage[tool_name]["action_patterns"][action] += 1
# Track risk distribution
risk_level = event.risk_level
if risk_level not in tool_usage[tool_name]["risk_distribution"]:
tool_usage[tool_name]["risk_distribution"][risk_level] = 0
tool_usage[tool_name]["risk_distribution"][risk_level] += 1
# Calculate usage statistics
for tool_name, stats in tool_usage.items():
tool_events = [e for e in events if e.tool_name == tool_name]
# Calculate success rate
successful_events = [e for e in tool_events if e.result == "success"]
stats["success_rate"] = len(successful_events) / len(tool_events) if tool_events else 0
# Calculate average execution time
execution_times = [
e.metadata.get("execution_time", 0) for e in tool_events
if e.metadata.get("execution_time")
]
stats["average_execution_time"] = sum(execution_times) / len(execution_times) if execution_times else 0
return ToolUsageAnalysis(
tool_usage_stats=tool_usage,
most_used_tools=sorted(tool_usage.items(), key=lambda x: x[1]["usage_count"], reverse=True)[:10],
high_risk_activities=self.identify_high_risk_activities(tool_usage)
)
Compliance Auditing
Regulatory Compliance Tracking
# Compliance auditing implementation
class ComplianceAuditor:
def __init__(self):
self.compliance_rules = {}
self.audit_store = AuditStore()
self.report_generator = ReportGenerator()
def setup_compliance_rules(self):
"""Setup compliance rules for different regulations"""
# GDPR compliance rules
self.compliance_rules["gdpr"] = {
"data_access_logging": {
"required": True,
"retention_period": 2555 * 24 * 3600, # 7 years
"description": "Log all personal data access"
},
"consent_tracking": {
"required": True,
"description": "Track user consent for data processing"
},
"data_portability": {
"required": True,
"description": "Enable data export capabilities"
},
"right_to_erasure": {
"required": True,
"description": "Support data deletion requests"
}
}
# HIPAA compliance rules
self.compliance_rules["hipaa"] = {
"phi_access_logging": {
"required": True,
"retention_period": 6 * 365 * 24 * 3600, # 6 years
"description": "Log all PHI access"
},
"minimum_necessary": {
"required": True,
"description": "Ensure minimum necessary access"
},
"audit_controls": {
"required": True,
"description": "Implement audit controls"
}
}
# PCI DSS compliance rules
self.compliance_rules["pci_dss"] = {
"cardholder_data_access": {
"required": True,
"retention_period": 365 * 24 * 3600, # 1 year
"description": "Log cardholder data access"
},
"access_control": {
"required": True,
"description": "Implement access controls"
},
"vulnerability_management": {
"required": True,
"description": "Regular vulnerability assessments"
}
}
def check_compliance(self, regulation: str, time_period: int) -> ComplianceReport:
"""Check compliance for specific regulation"""
if regulation not in self.compliance_rules:
return ComplianceReport(
regulation=regulation,
compliant=False,
reason="Unknown regulation"
)
rules = self.compliance_rules[regulation]
compliance_results = []
for rule_name, rule_config in rules.items():
result = self.check_compliance_rule(rule_name, rule_config, time_period)
compliance_results.append(result)
# Determine overall compliance
failed_rules = [r for r in compliance_results if not r.compliant]
overall_compliant = len(failed_rules) == 0
return ComplianceReport(
regulation=regulation,
compliant=overall_compliant,
rule_results=compliance_results,
failed_rules=failed_rules,
compliance_score=len([r for r in compliance_results if r.compliant]) / len(compliance_results)
)
def check_compliance_rule(self, rule_name: str, rule_config: Dict, time_period: int) -> ComplianceRuleResult:
"""Check specific compliance rule"""
if rule_name == "data_access_logging":
return self.check_data_access_logging(rule_config, time_period)
elif rule_name == "consent_tracking":
return self.check_consent_tracking(rule_config, time_period)
elif rule_name == "audit_controls":
return self.check_audit_controls(rule_config, time_period)
else:
return ComplianceRuleResult(
rule_name=rule_name,
compliant=False,
reason="Unknown rule"
)
def check_data_access_logging(self, rule_config: Dict, time_period: int) -> ComplianceRuleResult:
"""Check data access logging compliance"""
# Get all data access events
data_access_events = self.audit_store.get_events_by_type(
AuditEventType.TOOL_ACCESS,
time_period
)
# Check if all data access is logged
missing_logs = []
for event in data_access_events:
if not self.is_data_access_properly_logged(event):
missing_logs.append(event.event_id)
if missing_logs:
return ComplianceRuleResult(
rule_name="data_access_logging",
compliant=False,
reason=f"Missing logs for {len(missing_logs)} events",
details={"missing_logs": missing_logs}
)
return ComplianceRuleResult(
rule_name="data_access_logging",
compliant=True,
reason="All data access properly logged"
)
def generate_compliance_report(self, regulation: str, time_period: int) -> Dict:
"""Generate comprehensive compliance report"""
# Check compliance
compliance_result = self.check_compliance(regulation, time_period)
# Generate detailed report
report = self.report_generator.generate_compliance_report(
regulation=regulation,
compliance_result=compliance_result,
time_period=time_period
)
return report
Audit Analytics
Advanced Audit Analytics
# Advanced audit analytics
class AuditAnalytics:
def __init__(self):
self.analytics_engine = AnalyticsEngine()
self.ml_analyzer = MLAnalyzer()
self.visualization_engine = VisualizationEngine()
def perform_risk_analysis(self, time_period: int) -> RiskAnalysisReport:
"""Perform comprehensive risk analysis"""
# Get audit events
events = self.audit_store.get_events(time_period)
# Analyze risk patterns
risk_patterns = self.analyze_risk_patterns(events)
# Identify high-risk users
high_risk_users = self.identify_high_risk_users(events)
# Analyze tool risk distribution
tool_risk_analysis = self.analyze_tool_risk_distribution(events)
# Detect risk trends
risk_trends = self.detect_risk_trends(events)
return RiskAnalysisReport(
analysis_period=time_period,
risk_patterns=risk_patterns,
high_risk_users=high_risk_users,
tool_risk_analysis=tool_risk_analysis,
risk_trends=risk_trends
)
def detect_anomalies(self, time_period: int) -> AnomalyDetectionReport:
"""Detect anomalies in audit data"""
# Get audit events
events = self.audit_store.get_events(time_period)
# Statistical anomaly detection
statistical_anomalies = self.ml_analyzer.detect_statistical_anomalies(events)
# Behavioral anomaly detection
behavioral_anomalies = self.ml_analyzer.detect_behavioral_anomalies(events)
# Temporal anomaly detection
temporal_anomalies = self.ml_analyzer.detect_temporal_anomalies(events)
# Network anomaly detection
network_anomalies = self.ml_analyzer.detect_network_anomalies(events)
return AnomalyDetectionReport(
analysis_period=time_period,
statistical_anomalies=statistical_anomalies,
behavioral_anomalies=behavioral_anomalies,
temporal_anomalies=temporal_anomalies,
network_anomalies=network_anomalies
)
def generate_audit_dashboard(self, time_period: int) -> Dict:
"""Generate comprehensive audit dashboard"""
# Get key metrics
metrics = self.calculate_audit_metrics(time_period)
# Generate visualizations
visualizations = self.visualization_engine.generate_audit_visualizations(time_period)
# Get recent alerts
recent_alerts = self.get_recent_audit_alerts(time_period)
# Get compliance status
compliance_status = self.get_compliance_status()
return {
"metrics": metrics,
"visualizations": visualizations,
"recent_alerts": recent_alerts,
"compliance_status": compliance_status,
"last_updated": time.time()
}
Audit Reporting
Comprehensive Audit Reports
# Audit reporting system
class AuditReportGenerator:
def __init__(self):
self.template_engine = TemplateEngine()
self.data_aggregator = DataAggregator()
self.chart_generator = ChartGenerator()
def generate_executive_summary(self, time_period: int) -> ExecutiveSummary:
"""Generate executive summary of audit findings"""
# Aggregate key metrics
total_events = self.data_aggregator.count_events(time_period)
high_risk_events = self.data_aggregator.count_high_risk_events(time_period)
compliance_score = self.data_aggregator.calculate_compliance_score(time_period)
# Identify top issues
top_issues = self.data_aggregator.get_top_security_issues(time_period)
# Calculate trends
trend_analysis = self.data_aggregator.analyze_trends(time_period)
return ExecutiveSummary(
reporting_period=time_period,
total_events=total_events,
high_risk_events=high_risk_events,
compliance_score=compliance_score,
top_issues=top_issues,
trend_analysis=trend_analysis,
recommendations=self.generate_recommendations(top_issues, trend_analysis)
)
def generate_detailed_report(self, time_period: int) -> DetailedAuditReport:
"""Generate detailed audit report"""
# Executive summary
executive_summary = self.generate_executive_summary(time_period)
# Detailed findings
detailed_findings = self.data_aggregator.get_detailed_findings(time_period)
# User activity analysis
user_activity = self.data_aggregator.analyze_user_activity(time_period)
# Tool usage analysis
tool_usage = self.data_aggregator.analyze_tool_usage(time_period)
# Risk analysis
risk_analysis = self.data_aggregator.perform_risk_analysis(time_period)
# Compliance analysis
compliance_analysis = self.data_aggregator.analyze_compliance(time_period)
return DetailedAuditReport(
executive_summary=executive_summary,
detailed_findings=detailed_findings,
user_activity=user_activity,
tool_usage=tool_usage,
risk_analysis=risk_analysis,
compliance_analysis=compliance_analysis,
charts=self.chart_generator.generate_audit_charts(time_period)
)
Best Practices
Audit Implementation Guidelines
- Comprehensive Logging: Log all tool access and usage events
- Real-time Analysis: Implement real-time audit event processing
- Compliance Integration: Integrate regulatory compliance requirements
- Anomaly Detection: Use ML-based anomaly detection
- Regular Reporting: Generate regular audit reports and dashboards
- Data Retention: Implement appropriate data retention policies
- Privacy Protection: Protect sensitive audit data
- Access Controls: Implement strict access controls for audit data
Common Audit Challenges
- Data Volume: Managing large volumes of audit data
- Performance Impact: Minimizing performance impact of logging
- Data Privacy: Balancing audit requirements with privacy
- False Positives: Reducing false positive alerts
- Compliance Complexity: Managing multiple compliance requirements
- Real-time Processing: Processing audit events in real-time
Tool Usage Auditing provides comprehensive visibility into MCP tool usage patterns, enabling effective security monitoring, compliance management, and risk assessment.